Subject: [w00giving '99 #3] UnixWare 7's /var/sadm

w00w00 Security Development (WSD)

---------------------------------------------------------------------------
Discovered by: ktwo (ktwo@ktwo.ca)

When you apply patches to binaries (i.e., for bug fixes), the original,
unpatched binary files (with the suid/sgid bits maintained) are stored
in /var/sadm.  By default, the permissions on this directory are 755.
This allows normal users to execute and exploit old binaries left over
from patching.

---------------------------------------------------------------------------
Patch:

Run 'chmod o-x /var/sadm' to remove execute (search) permission on the
directory for normal users.
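
To check a system before and after applying the fix, the following audit
script can be used.  It is an added example, not part of the original
advisory or w00w00's code; the function names are hypothetical, and it
assumes a POSIX sh and find.

```shell
#!/bin/sh
# Added example: defensive audit for the /var/sadm exposure described above.
# Function names are hypothetical. Run as root so find can read every subdirectory.

# True if users outside the owner and group can search (traverse) the directory.
other_can_search() {
    [ -n "$(find "$1" -prune -type d -perm -0001 -print 2>/dev/null)" ]
}

# Print each regular file under the directory that still has a setuid or setgid bit.
list_privileged_backups() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Returns 1 if exposed (privileged files reachable by other), 2 on a bad argument,
# 0 otherwise. Defaults to the directory named in the advisory.
audit_backup_dir() {
    dir=${1:-/var/sadm}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 2
    fi
    hits=$(list_privileged_backups "$dir")
    if [ -z "$hits" ]; then
        echo "$dir: no setuid/setgid files found"
        return 0
    fi
    if other_can_search "$dir"; then
        echo "$dir: EXPOSED, searchable by other and holds setuid/setgid files:"
        echo "$hits" | sed 's/^/  /'
        return 1
    fi
    echo "$dir: setuid/setgid files present, but other cannot search the directory"
    return 0
}
```

After sourcing the file, 'audit_backup_dir /var/sadm' returns 0 once the
chmod above has been applied.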
---------------------------------------------------------------------------

Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum,
interrupt, dmess0r, marc, kitekoa, and K2

People who deserve hellos: nocarrier, minus, daveg, nny, dark 
spyrit (and beavuh), and w00god blake


